Privacy notices outline how a company collects, stores, secures and uses personal information collected from customers and people visiting its website. This article will explain how to draft a privacy notice that complies with the requirements laid down in the EU’s General Data Protection Regulation (GDPR).
Before we dive into the key clauses in a GDPR compliant privacy notice, a few definitions:
A data subject is any individual whose personal information is being collected and processed by an organisation for the purposes of a business activity.
A controller is any organisation that collects and uses personal information for business purposes. An individual collecting and processing personal information for the purposes of a purely household activity is not a controller.
Automated decision-making is a decision made by automated means without any human involvement. Examples include recruitment aptitude tests which collect information and use algorithms and criteria to select candidates, and online decisions to grant loans.
What information is collected?
Step 1 is to ensure that the data subjects are informed about the type of personal information that is collected.
Make sure to mention all the different types of information gathered, irrespective of whether the data is shared voluntarily by the data subject or indirectly through the expression of interest for products sold or services provided, through participation in activities or otherwise through any contact with the controller.
Do not forget to tell users about any information that is collected automatically. Examples of information collected automatically would be a user’s IP address or a user’s device characteristics. Although obvious, do not neglect to mention that payment details shared during a transaction will also be collected and stored.
How is the data used?
Step 2 is to inform the data subjects about all the possible ways their personal data will be used.
Data collected should be used in line with the legitimate business interests of your company. These business interests shall be clearly outlined in this section. Examples include, but are not limited to, the performance of a contract entered into with the data subject, to request feedback from customer, to manage user accounts, to send administrative information, to enforce terms and conditions, to send promotional content etc.
Create lawyer-approved contracts for free for 7 days
What are the legal bases?
Step 3 is to let the data subjects know what the legal bases for processing their personal information are.
Statutory legal bases for processing users’ personal information are the following:
- Legitimate interests
- Performance of a contract
- Legal obligations
- Vital interests
- Public interest
Depending on your company’s commercial operations, certain legal bases will be more relevant than others. For example, if you are an online retailer of stationary equipment it is highly unlikely that your customers’ personal information will need to be disclosed in the interest of the general public. Make sure to tailor your privacy notice to your company’s specific operations to avoid unnecessarily lengthy notices.
To ensure compliance with GDPR principles do not neglect to undergo a balancing act to ensure that your customers’ fundamental privacy rights do not outweigh your company’s legitimate business interests.
Who is the data shared with?
Step 4 is to ensure that data subjects are aware of who has access to their personal data and who, if anyone at all, it is shared with.
Data subject information shall not be shared with third parties unless done so pursuant to a legitimate legal basis. If data is shared, you must ensure that third parties respect the provisions of your company’s privacy notice.
How long is the data stored for?
Step 5 is to tell the data subjects how long their information is stored for.
As a rule of thumb, try to store information for no longer than strictly necessary for the purposes outlined in the previous sections of your notice, unless otherwise required by law for taxation and auditing purposes.
How is the data kept secure?
Step 6 is to reassure the data subjects that their information is kept safe.
As a company you must implement appropriate technical and organisational measures in order to protect the security of your data subjects’ information.
Guaranteeing an impenetrable system is probably a bad idea. A brief concession can be made with regards the possibility of a successful cyber attack causing a data breach.
What are your privacy rights?
Step 7 is to make the data subjects aware of their privacy rights.
Data subjects have the right to:
- Access the information a company holds about them.
- Ask a company to correct information they think is incorrect.
- Be informed about how information about them is being processed and used.
- Ask a company to erase information it holds about them.
- Ask a company to stop or limit the processing of their information.
- Get access to their information and reuse it for different purposes (data portability).
- Raise an objection to how their information is used in certain situations.
- Be protected from automated decision-making.
- Intervene in the case of automated decision-making.
Who to contact?
Step 8 is to share the contact details of your company’s data protection officer, or anyone performing a role akin to that of a data protection officer, and to remind the data subjects that any requests regarding their rights can be raised by contacting that person.
You should aim to ensure that your data protection officer is easily contactable and responsive to queries or requests made by data subjects.
Legislate is a contracting platform where business owners can create contracts to help grow and develop their business. Legislate's employment contracts and offer letters are key in protecting your IP and Legislate's NDAs are crucial to ensure you can have conversations and partnerships to help develop your business and brand. Book a demo or sign up today to put the confidence back into contracting.
The opinions on this page are for general information purposes only and do not constitute legal or financial advice on which you should rely.